General

  • Target

    NEAS.8d07d9769a61406fae89642f8345914024d18ab303a6a47658d242273aafdd32.exe

  • Size

    262KB

  • Sample

    231106-12ebeshc73

  • MD5

    4eadd492253268de6bdf2244b965b9e2

  • SHA1

    31f93a90a4bc07cd6728016b7abebec3098a6267

  • SHA256

    8d07d9769a61406fae89642f8345914024d18ab303a6a47658d242273aafdd32

  • SHA512

    697c0754429342519c4d861901b75ef422a8992c6c66f2b17f90e9cd14815d17d61853043e11e36114b5a2da88ce1ce0c19cc43e7fcf6e5a623134ebe44c94d5

  • SSDEEP

    6144:Jz+obugLoTNsdkzpuD/7ictZiYLzQ3Xk0TRp:Fwg+NsdklYji4zQ3R

Malware Config

Extracted

Family

tofsee

C2

vanaheim.cn

jotunheim.name

Targets

    • Target

      NEAS.8d07d9769a61406fae89642f8345914024d18ab303a6a47658d242273aafdd32.exe

    • Size

      262KB

    • MD5

      4eadd492253268de6bdf2244b965b9e2

    • SHA1

      31f93a90a4bc07cd6728016b7abebec3098a6267

    • SHA256

      8d07d9769a61406fae89642f8345914024d18ab303a6a47658d242273aafdd32

    • SHA512

      697c0754429342519c4d861901b75ef422a8992c6c66f2b17f90e9cd14815d17d61853043e11e36114b5a2da88ce1ce0c19cc43e7fcf6e5a623134ebe44c94d5

    • SSDEEP

      6144:Jz+obugLoTNsdkzpuD/7ictZiYLzQ3Xk0TRp:Fwg+NsdklYji4zQ3R

    • Tofsee

      Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    • Windows security bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Creates new service(s)

    • Modifies Windows Firewall

    • Sets service image path in registry

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Deletes itself

    • Executes dropped EXE

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks